Cybersecurity: The Hackers Are Already Through The Utilities’ Doors, So What’s Next?

In a recent conversation on the topic of cybersecurity, Ray Rothrock – CEO of cybersecurity firm RedSeal, and author of the 2018 book Digital Resilience – offered some interesting and sobering insights on the state of the cyber world and utilities. He commented that hackers are already likely sitting in various U.S. utility systems and reconnoitering, in what the Department of Homeland Security calls an Advanced Persistent Threat mode. The critical question, then, is what to do about that fact, and how to create resilient responses.

Ray Rothrock has been around the electric power and software worlds for a long time. He began his career as a nuclear engineer and spent five years at the Yankee Rowe nuclear plant in western Massachusetts, but then went off to Silicon Valley, eventually joining up with Sun Microsystems. Rothrock then found his way to the venture capital world, leading VC firm Venrock where he spearheaded the firm’s energy and Internet strategies until he retired in 2013.

Retirement did not last long: the following year, RedSeal – one of Venrock’s portfolio companies – came calling looking for a new CEO. In the past five years, he has refocused the firm on the mission of digital resilience, supporting various sectors including government, finance, retail, healthcare, insurance and utilities.

Utility networks are relatively straightforward, but management is insufficiently focused on cyber-protection

He characterizes the typical utility system as being “fairly simple networks as networks go, and they do fairly straightforward things.” The challenge is that they have grown organically over decades, in response to challenges and opportunities, “but probably not kept up to date in terms of latest thinking and architecture.” However, although they are vulnerable owing to their architectures, he indicates, “they are simple networks, so they are relatively easy to fix and understand.” In addition, the North American Electric Reliability Corporation (NERC) – the entity that governs such things – has specific regulations about how grids should be maintained and how risk should be managed.

For some, though, this creates the risk of a “check-the-box” mentality rather than development of a true culture of basic ‘cyber hygiene.’ The latter involves proactive and continuous training of staff to increase and maintain awareness of the threat (for example, to avoid falling for spear-phishing attempts in which employees click on infected attachments – the method used by hackers to infiltrate the Ukrainian electric distribution companies in 2015) and development of other good practices.

Unfortunately, Rothrock sees a troubling lack of attention to cyber best practices at some utilities. He commented,

“It is so much common sense to do it that way yet so many people object to it. A good utility network has only 50 or 100 routers. That’s a tiny network today. Yet it controls enormous resources and controls a very important infrastructure. I am perplexed by lack of attentiveness by management – that’s not so hard to do.”

In a distributed world, attack surfaces multiply rapidly and grid edge devices can become weapons

The problem gets worse as the growth of distributed networks of assets creates potentially critical issues. The population of these devices is huge and multiplying rapidly. Consulting firm Wood Mackenzie estimates that there are currently 30 million grid-connected assets out there in U.S. homes today, with millions more to come. The company forecasts 88,000 megawatts (MW) of ‘residential flexible potential’ by 2023 (by way of context, the total generation capability of the Texas grid is just under 80,000 MW).


Article Credit: Forbes

The post Cybersecurity: The Hackers Are Already Through The Utilities’ Doors, So What’s Next? appeared first on erpinnews.